Why would I need to have software firewalls on my devices behind my NAT router at home? The topology is a basic consumer-grade one: ISP -> my router (NAT) -> LAN, and vice versa.

If NAT already obfuscates my private addresses through translation, how would a potential adversary connect to anything beyond it?

What “good” would my public IP do for a hacker if I have no ports forwarded?

Is a firewall a second line of defense just in case I execute malware that starts forwarding ports?

I do have software firewalls on all my devices, but that wasn’t an informed choice. I just followed the Arch Wiki’s post installation guidelines.

  • Possibly linux@lemmy.zip · 1 upvote · 3 days ago

    NAT without a firewall will translate both ways and may even allow any IP address to come in through an established port.

    You need a firewall.

    • hydrashok@sh.itjust.works · 2 upvotes · edited · 3 days ago

      NAT is literally network translation, you’re right.

      But if your router is not configured to allow remote administration console access, you are not forwarding any ports, you have turned off UPnP, and, if you’re super paranoid (and your router supports it), you block external ICMP, then it is functioning quite similarly to a perimeter firewall. No unsolicited external traffic goes farther than the WAN side of the router.

      NAT will translate both ways ONLY if the outbound (from the internal network) is initiated first.

          • Possibly linux@lemmy.zip · 2 upvotes · 3 days ago

            ICMP is important for routing-related functions like MTU detection. I would allow all ICMP, but if you must block it for some reason, make sure to whitelist Packet Too Big and probably Destination Unreachable.

            On a modern connection, ping is not much of a threat, as it takes minimal resources to respond. Modern hardware can handle thousands of pings with no issue.
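The three behaviours argued about in this thread, as an added worked example that is not code from any poster or router vendor: a toy Python model of a home router. The `endpoint_independent` flag models a "full cone" NAT, where any remote host can send to a mapping once it exists (the case the first reply warns about); `False` models the "only if outbound was initiated first" behaviour of the second reply; `StatefulFilter` doubles as the software firewall on the LAN host, and `PMTUD_ICMP` is the allowlist the third reply recommends. Addresses are constructed from the RFC 5737 documentation ranges, port numbers are arbitrary, and ICMP errors are simplified so that the packet's `dport` stands for the local port of the flow quoted inside the error.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str           # "udp", "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int           # for ICMP errors: the local port of the flow the error quotes
    icmp_type: str = ""  # only used when proto == "icmp"


# Constructed addresses from the RFC 5737 documentation ranges; not real hosts.
WAN_IP, LAN_HOST = "203.0.113.7", "192.168.1.20"
GAME_SERVER, ATTACKER, SOME_ROUTER = "198.51.100.50", "198.51.100.99", "198.51.100.1"

# ICMP error types that path-MTU discovery depends on. A "block external ICMP"
# policy should still admit these when they relate to a flow we opened.
PMTUD_ICMP = {"destination-unreachable", "packet-too-big", "time-exceeded"}


class StatefulFilter:
    """Connection tracking keyed by (proto, local port): inbound traffic is admitted
    only from a peer that an outbound packet already talked to. Used both on the
    router's WAN side and as the software firewall on the LAN host."""

    def __init__(self, allow_ping: bool = False):
        self.allow_ping = allow_ping
        self.peers: dict = {}  # (proto, local_port) -> {(remote_ip, remote_port)}

    def note_outbound(self, proto: str, local_port: int, remote: tuple) -> None:
        self.peers.setdefault((proto, local_port), set()).add(remote)

    def admit(self, pkt: Packet) -> bool:
        if pkt.proto == "icmp":
            if pkt.icmp_type in PMTUD_ICMP:
                # "related": only if the quoted port belongs to a flow we opened
                return any(port == pkt.dport for (_, port) in self.peers)
            return pkt.icmp_type == "echo-request" and self.allow_ping
        return (pkt.src, pkt.sport) in self.peers.get((pkt.proto, pkt.dport), set())


class Nat:
    """Port-translating router. endpoint_independent=True is a 'full cone' NAT:
    once an outbound flow creates a mapping, any remote host may send to it.
    False admits only the peer the LAN host contacted (outbound-first behaviour)."""

    def __init__(self, endpoint_independent: bool = False, allow_ping: bool = False):
        self.endpoint_independent = endpoint_independent
        self.filter = StatefulFilter(allow_ping)
        self.mappings: dict = {}  # (proto, lan_ip, lan_port) -> wan_port
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.mappings:          # allocate a fresh public port per flow
            self.mappings[key] = self.next_port
            self.next_port += 1
        wan_port = self.mappings[key]
        self.filter.note_outbound(pkt.proto, wan_port, (pkt.dst, pkt.dport))
        return Packet(pkt.proto, WAN_IP, wan_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """The packet as delivered to the LAN, or None if dropped on the WAN side."""
        if pkt.proto == "icmp" and pkt.icmp_type == "echo-request":
            return pkt if self.filter.admit(pkt) else None  # answered by the router itself
        if pkt.proto != "icmp" and self.endpoint_independent:
            admitted = (pkt.proto, pkt.dport) in self.filter.peers  # any source will do
        else:
            admitted = self.filter.admit(pkt)
        if not admitted:
            return None
        for (_, lan_ip, lan_port), wan_port in self.mappings.items():
            if wan_port == pkt.dport:  # port only; real conntrack also checks the quoted protocol
                return Packet(pkt.proto, pkt.src, pkt.sport, lan_ip, lan_port, pkt.icmp_type)
        return None  # no mapping and nothing forwarded: unsolicited, dropped


def unsolicited_reaches_lan(endpoint_independent: bool, host_firewall: bool) -> bool:
    """A LAN game client talks to a server; an attacker then probes the mapped port."""
    nat, host = Nat(endpoint_independent), StatefulFilter()
    host.note_outbound("udp", 51000, (GAME_SERVER, 27015))
    mapped = nat.outbound(Packet("udp", LAN_HOST, 51000, GAME_SERVER, 27015))
    delivered = nat.inbound(Packet("udp", ATTACKER, 4444, WAN_IP, mapped.sport))
    if delivered is None:
        return False
    return host.admit(delivered) if host_firewall else True


def probe_closed_port_reaches_lan(endpoint_independent: bool) -> bool:
    """No outbound flow and no port forward: a SYN to the public IP goes nowhere."""
    return Nat(endpoint_independent).inbound(Packet("tcp", ATTACKER, 4444, WAN_IP, 22)) is not None


def icmp_admitted(icmp_type: str, allow_ping: bool = False, related: bool = True) -> bool:
    """Is an inbound ICMP packet admitted while the LAN host has a TCP flow open?"""
    nat = Nat(allow_ping=allow_ping)
    mapped = nat.outbound(Packet("tcp", LAN_HOST, 51001, GAME_SERVER, 443))
    quoted_port = mapped.sport if related else 1  # port 1: no flow uses it
    return nat.inbound(Packet("icmp", SOME_ROUTER, 0, WAN_IP, quoted_port, icmp_type)) is not None
```

Run `unsolicited_reaches_lan(True, False)` and the attacker's packet reaches the LAN application through the full-cone mapping with no firewall anywhere; `unsolicited_reaches_lan(True, True)` shows the host's own stateful firewall dropping it, because the host never talked to that peer, which is the second line of defence the question asks about. `icmp_admitted("packet-too-big")` is admitted only because it quotes a port with a live flow; the same error type quoting an unused port (`related=False`) is dropped, which is the distinction a blanket "block ICMP" rule loses.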